From gniibe at fsij.org Mon Jun 2 09:55:11 2014
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 02 Jun 2014 16:55:11 +0900
Subject: gnupg 1.4 decryption with smartcard for anonymous recipient
In-Reply-To: <87vbsnuqh1.fsf@vigenere.g10code.de>
References: <1401456084.28909.2.camel@latx1.gniibe.org>
 <87vbsnuqh1.fsf@vigenere.g10code.de>
Message-ID: <1401695711.1544.1.camel@cfw2.gniibe.org>

On 2014-05-30 at 19:27 +0200, Werner Koch wrote:
> I would suggest to make it more explicit. Best would be to detect the
> try-all-secret case and suppress the error message. Something like this
> (not at all tested):

Thank you. Your patch works fine with a change of g10/cardglue.h for
prototype change of agent_scd_pkdecrypt.
--

From wk at gnupg.org Tue Jun 3 11:29:11 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Jun 2014 11:29:11 +0200
Subject: [Announce] GnuPG 2.0.23 released
Message-ID: <878upes5nc.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.23. This is a maintenance release with a few new
features.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography. It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.14) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time. We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License
(GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also
available for other Unices, Microsoft Windows and Mac OS X.


What's New in 2.0.23
====================

 * gpg: Reject signatures made using the MD5 hash algorithm unless the
   new option --allow-weak-digest-algos or --pgp2 are given.

 * gpg: Do not create a trustdb file if --trust-model=always is used.

 * gpg: Only the major version number is by default included in the
   armored output.

 * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
   communication with the gpg-agent.
 * gpg: The format of the fallback key listing ("gpg KEYFILE") is now
   more aligned to the regular key listing ("gpg -k").

 * gpg: The option --show-session-key prints its output now before
   the decryption of the bulk message starts.

 * gpg: New %U expando for the photo viewer.

 * gpgsm: Improved handling of re-issued CA certificates.

 * scdaemon: Various fixes for pinpad equipped card readers.

 * Minor bug fixes.


Getting the Software
====================

Please follow the instructions found at https://www.gnupg.org/download/
or read on:

GnuPG 2.0.23 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
can be found at https://www.gnupg.org/mirrors.html . Note that GnuPG
is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files
in the gnupg/ directory:

  gnupg-2.0.23.tar.bz2 (4196k)
  gnupg-2.0.23.tar.bz2.sig

      GnuPG source compressed using BZIP2 and its OpenPGP signature.

  gnupg-2.0.22-2.0.23.diff.bz2 (53k)

      A patch file to upgrade a 2.0.22 GnuPG source tree. This patch
      does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.
A Windows version will eventually be released at https://gpg4win.org .


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-2.0.23.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.23.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.
   Make sure that you have the right key, either by checking the
   fingerprint of that key with other sources or by checking that the
   key has been signed by a trustworthy other key. Note, that you can
   retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to
   verify the SHA-1 checksum. Assuming you downloaded the file
   gnupg-2.0.23.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.23.tar.bz2

   and check that the output matches the first line from the
   following list:

c90e47ab95a40dd070fd75faef0a05c7b679553b  gnupg-2.0.23.tar.bz2
e02cfab2bc046f9fac89eef098c34f58b5745d20  gnupg-2.0.22-2.0.23.diff.bz2


Documentation
=============

The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well; however they have not all the
details available in the manual. It is also possible to read the
complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

  https://www.gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how
to set up the whole thing. You may also want to search the GnuPG
mailing list archives or ask on the gnupg-users mailing lists for
advice on how to solve problems. Many of the new features are around
for several years and thus enough public knowledge is already
available.

Almost all mail clients support GnuPG-2.

Support
=======

Please consult the archive of the gnupg-users mailing list before
reporting a bug . We suggest to send bug reports for a new release to
this list in favor of filing a bug at . We also have a dedicated
service directory at:

  https://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of
its principal author, Werner Koch. Maintenance and improvement of
GnuPG and related software takes up most of their resources. To allow
him to continue this work he kindly asks to either purchase a support
contract, engage g10 Code for custom enhancements, or to donate money:

Maintaining and improving GnuPG is costly. For more than a decade,
g10 Code GmbH, a German company owned and headed by GnuPG's principal
author Werner Koch, is bearing the majority of these costs. To help
them carry on this work, they need your support. See

  https://gnupg.org/donate/


Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.


Happy Hacking,

  The GnuPG Team

--
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From gniibe at fsij.org Thu Jun 5 06:58:50 2014
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 05 Jun 2014 13:58:50 +0900
Subject: Using OpenPGP keyserver (or WoT) to distribute SSH Key
Message-ID: <1401944330.1525.4.camel@cfw2.gniibe.org>

Hello,

I'm using the SSH-agent feature of GPG-agent to authenticate my
OpenSSH access daily. For smartcard/token users or users of GnuPG
development branch, it might be standard practice already.

For non smartcard/token users, it is possible to use the feature, once
using monkeysphere to (generate authentication subkey and) put it under
control of the SSH-agent feature of GPG-agent.

I think that this is a useful feature for everyone. Since some people
are not convinced, I wrote a tool to cover other users who already
have SSH RSA keys and want to stick with them.

Attached is a tool which adds an OpenPGP authentication subkey (you need
other *.py from Gnuk distribution to use this script).

Here's how to use this tool to convert your existing SSH RSA keys.

(1) Prepare your desktop environment for GPG-agent as ssh-agent

    Enable ssh-support of GPG-agent and let it serve as SSH agent.
    Please see [0] for how to do that in Debian Wheezy.

(2) Convert your SSH secret key into GnuPG.

    Check you're using ssh-agent feature of GPG-agent. You should
    have an environment variable like:

        SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh

    Then, invoke ssh-add command:

        $ ssh-add $HOME/.ssh/id_rsa

    You will be asked two pass phrases, one to decrypt SSH private
    key, another to encrypt this key under GnuPG.

    Your private key is now under $HOME/.gnupg/private-keys-v1.d
    directory.

(3) Export your GPG key

        $ gpg --export-options export-minimal --export YOUR_ID >/tmp/mykey.gpg

(4) Attach authentication key to your (exported) GPG key

        $ python add_openpgp_authkey_from_gpgssh.py /tmp/mykey.gpg

    You will be asked a pass phrase for signing your subkey.

(5) Import your key

        $ gpg --import /tmp/mykey.gpg

Now, your OpenPGP keyring has your key with authentication subkey.
You can upload your public key with authentication subkey attached to
keyserver. Then, when your friend wants to give SSH access to you
(given the situation he has validated your OpenPGP key already), he
can do:

    $ gpg --refresh-key    # to get your updated key
    $ gpgkey2ssh YOUR_ID | sed -e s/COMMENT/YOUR_MAIL_ADDRESS/ >> ~your_username/.ssh/authorized_keys

Well, I know that the tool gpgkey2ssh is just for debugging purpose.
I just want to show OpenPGP keyserver is useful.

I maintain this tool in Gnuk, under tool/ directory.

[0] http://www.gniibe.org/memo/software/ssh/ssh-gpg.html#use-gpg-agent-for-ssh-agent-service
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_openpgp_authkey_from_gpgssh.py
Type: text/x-python
Size: 6971 bytes

From bernhard at intevation.de Thu Jun 5 11:53:51 2014
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 5 Jun 2014 11:53:51 +0200
Subject: End-to-End Chromium extension for OpenPGP
Message-ID: <20140605095350.GA29039@intevation.de>

Hi Devs,

I've started a section at
  http://wiki.gnupg.org/OtherFreeSoftwareOpenPGP
about Google's new javascript-implementation "End-to-End".

Their use of ECC by default raises the priority to get GnuPG 2.1
with ECC ready for production.

If you have more results from examining End-to-End, please add them
to the wiki. I'd be interested to know if they can use RSA, are
compatible and how good their isolation from the server is.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From wk at gnupg.org Thu Jun 5 17:55:23 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 05 Jun 2014 17:55:23 +0200
Subject: [Announce] A new Beta of GnuPG 2.1 is now available
Message-ID: <87oay7nyfo.fsf@vigenere.g10code.de>

Hello!

I just released the fourth *beta version* of GnuPG 2.1. It has been
released to give you the opportunity to check out new features and
a new beta was due anyway after 30 months.

If you need a stable and fully maintained version of GnuPG, you should
use version 2.0.23 or 1.4.16.

This version is marked as BETA and as such it should in general not be
used for real work. However, the core functionality is solid enough
for a long time and I am using this code base for a couple of years now.


What's new in 2.1.0-beta442 since beta3
=======================================

 * gpg: Add experimental signature support using curve Ed25519 and
   with a patched Libgcrypt also encryption support with Curve25519.

 * gpg: Allow use of Brainpool curves.

 * gpg: Accepts a space separated fingerprint as user ID. This
   allows to copy and paste the fingerprint from the key listing.

 * gpg: The hash algorithm is now printed for signature records in key
   listings.

 * gpg: Reject signatures made using the MD5 hash algorithm unless the
   new option --allow-weak-digest-algos or --pgp2 are given.

 * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
   communication with the gpg-agent.

 * gpg: Changed the format of key listings. To revert to the old
   format the option --legacy-list-mode is available.

 * gpg: New option --pinentry-mode.

 * gpg: Fixed decryption using an OpenPGP card.

 * gpg: Fixed bug with deeply nested compressed packets.

 * gpg: Only the major version number is by default included in the
   armored output.

 * gpg: Do not create a trustdb file if --trust-model=always is used.

 * gpg: Protect against rogue keyservers sending secret keys.

 * gpg: The format of the fallback key listing ("gpg KEYFILE") is now
   more aligned to the regular key listing ("gpg -k").
 * gpg: The option --show-session-key prints its output now before
   the decryption of the bulk message starts.

 * gpg: New %U expando for the photo viewer.

 * gpg,gpgsm: New option --with-secret.

 * gpgsm: By default the users are now asked via the Pinentry whether
   they trust an X.509 root key. To prohibit interactive marking of
   such keys, the new option --no-allow-mark-trusted may be used.

 * gpgsm: New commands to export a secret RSA key in PKCS#1 or PKCS#8
   format.

 * gpgsm: Improved handling of re-issued CA certificates.

 * agent: The included ssh agent does now support ECDSA keys.

 * agent: New option --enable-putty-support to allow gpg-agent on
   Windows to act as a Pageant replacement with full smartcard support.

 * scdaemon: New option --enable-pinpad-varlen.

 * scdaemon: Various fixes for pinpad equipped card readers.

 * scdaemon: Rename option --disable-pinpad (was --disable-keypad).

 * scdaemon: Better support for CCID readers. Now, internal CCID
   driver supports readers with no auto configuration feature.

 * dirmngr: Removed support for the original HKP keyserver which is
   not anymore used by any site.

 * dirmngr: Improved support for keyserver pools.

 * tools: New option --dirmngr for gpg-connect-agent.

 * The GNU Pth library has been replaced by the new nPth library.

 * Support installation as portable application under Windows.

 * All kind of other improvements - see the git log.


Getting the Software
====================

GnuPG 2.1-beta442 is available at

  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta442.tar.bz2
  ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0-beta442.tar.bz2.sig

and soon on all mirrors .

Please read the README file !


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.
   For example to check the signature of the file
   gnupg-2.0.23.tar.bz2 you would use this command:

     gpg --verify gnupg-2.1.0-beta442.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to
   verify the SHA-1 checksum. Assuming you downloaded the file
   gnupg-2.0.23.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.1.0-beta442.tar.bz2

   and check that the output matches this:

656fef6454972cb91741c37a0fd19cd9ade9db9c  gnupg-2.1.0-beta442.tar.bz2


Documentation
=============

The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well; however they have not all the
details available in the manual. It is also possible to read the
complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg-devel/

The chapters on gpg-agent, gpg and gpgsm include information on how
to set up the whole thing. You may also want to search the GnuPG
mailing list archives or ask on the gnupg-users mailing lists for
advice on how to solve problems. Many of the new features are around
for several years and thus enough public knowledge is already
available.

Almost all mail clients support GnuPG-2.
Mutt users may want to use the configure option "--enable-gpgme" during
build time and put a "set use_crypt_gpgme" in ~/.muttrc to enable
S/MIME support along with the reworked OpenPGP support.


Support
=======

Please consult the archive of the gnupg-users mailing list before
reporting a bug . We suggest to send bug reports for a new release to
this list in favor of filing a bug at . We also have a dedicated
service directory at:

  https://www.gnupg.org/service.html

Maintaining and improving GnuPG is costly. For more than a decade,
g10 Code GmbH, a German company owned and headed by GnuPG's principal
author Werner Koch, is bearing the majority of these costs. To help
them carry on this work, they need your support. See

  https://gnupg.org/donate/


Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists. The commits since the last beta are by:

   329  Werner Koch
    68  NIIBE Yutaka
    13  Ben Kibbey
     8  David Shaw
     8  Marcus Brinkmann
     4  Jim Meyering
     3  David Prévot
     2  Daniel Kahn Gillmor
     2  Marcus Brinkmann
     1  Christian Aistleitner
     1  Daiki Ueno
     1  Hans-Christoph Steiner
     1  Ian Abbott
     1  Jonas Borgström


Happy Hacking,

  The GnuPG Team

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Jun 5 19:36:21 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 05 Jun 2014 19:36:21 +0200
Subject: Using OpenPGP keyserver (or WoT) to distribute SSH Key
In-Reply-To: <1401944330.1525.4.camel@cfw2.gniibe.org> (NIIBE Yutaka's
 message of "Thu, 05 Jun 2014 13:58:50 +0900")
References: <1401944330.1525.4.camel@cfw2.gniibe.org>
Message-ID: <87fvjjntre.fsf@vigenere.g10code.de>

On Thu, 5 Jun 2014 06:58, gniibe at fsij.org said:

> Your private key is now under $HOME/.gnupg/private-keys-v1.d
> directory.

[...]

> Now, your OpenPGP keyring has your key with authentication subkey.
> You can upload your public key with authentication subkey attached to
> keyserver. Then, when your friend wants to give SSH access to you

FWIW, with GnuPG 2.1 there is an easy way to achieve the same:

  $ gpg --edit-key B702BE6D
  [...]
  pub  ed25519/B702BE6D
       created: 2014-06-05  expires: never       usage: SCA
       trust: ultimate      validity: unknown
  [ unknown] (1). reset the net test 2

  Please note that the shown key validity is not necessarily correct
  unless you restart the program.

Well, that is my test installation thus the Ed25519 key.

  gpg> addkey
  Please select what kind of key you want:
     (3) DSA (sign only)
     (4) RSA (sign only)
     (5) Elgamal (encrypt only)
     (6) RSA (encrypt only)
     (7) DSA (set your own capabilities)
     (8) RSA (set your own capabilities)
    (10) ECC (sign only)
    (11) ECC (set your own capabilities)
    (12) ECC (encrypt only)
    (13) Existing key
  Your selection? 13

The 13 is the important thing.

  Enter the keygrip: 3D6592BF45DC73BD876714A28FD4639282E212E2

The keygrip is easily available by looking at ~/.gnupg/sshcontrol .

  Possible actions for a DSA key: Sign Authenticate
  Current allowed actions: Sign

     (S) Toggle the sign capability
     (A) Toggle the authenticate capability
     (Q) Finished

  Your selection? a

Sure we want to flag it for authentication.

  Possible actions for a DSA key: Sign Authenticate
  Current allowed actions: Sign Authenticate

     (S) Toggle the sign capability
     (A) Toggle the authenticate capability
     (Q) Finished

  Your selection? q
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0)
  Key does not expire at all
  Is this correct? (y/N) y
  Really create? (y/N) y
  gpg: WARNING: using experimental public key algorithm EDDSA

The warning is due to the primary key.

  pub  ed25519/B702BE6D
       created: 2014-06-05  expires: never       usage: SCA
       trust: ultimate      validity: unknown
  sub  dsa1024/1C1F0160
       created: 2014-06-05  expires: never       usage: SA
  [ unknown] (1). reset the net test 2

  gpg> save

Voila, here we are.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Thu Jun 5 19:45:44 2014
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 05 Jun 2014 19:45:44 +0200
Subject: Using OpenPGP keyserver (or WoT) to distribute SSH Key
In-Reply-To: <87fvjjntre.fsf@vigenere.g10code.de>
References: <1401944330.1525.4.camel@cfw2.gniibe.org>
 <87fvjjntre.fsf@vigenere.g10code.de>
Message-ID: <2421326.yU0axAmLgG@inno>

On Thu 05.06.2014, 19:36:21, Werner Koch wrote:

> trust: ultimate validity: unknown

Now that's kind of funny, isn't it?


Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

From wk at gnupg.org Thu Jun 5 23:09:20 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 05 Jun 2014 23:09:20 +0200
Subject: Using OpenPGP keyserver (or WoT) to distribute SSH Key
In-Reply-To: <2421326.yU0axAmLgG@inno> (Hauke Laging's message of "Thu, 05 Jun
 2014 19:45:44 +0200")
References: <1401944330.1525.4.camel@cfw2.gniibe.org>
 <87fvjjntre.fsf@vigenere.g10code.de> <2421326.yU0axAmLgG@inno>
Message-ID: <87vbsfm5bz.fsf@vigenere.g10code.de>

On Thu, 5 Jun 2014 19:45, mailinglisten at hauke-laging.de said:
> On Thu 05.06.2014, 19:36:21, Werner Koch wrote:
>
>> trust: ultimate validity: unknown
>
> Now that's kind of funny, isn't it?

Well, that is because I redacted the initial warnings:

  $ gpg --edit-key B702BE6D
  [...]
  pub  ed25519/B702BE6D

The [...] expands to

  [...]
  gpg: please do a --check-trustdb

which due to my standard use of "no-auto-check-trustdb" in gpg.conf and
that there is no cron job running on that test system


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bernhard at intevation.de Fri Jun 6 10:46:54 2014
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 6 Jun 2014 10:46:54 +0200
Subject: GnuPG 2.1 and Re: End-to-End Chromium extension for OpenPGP
In-Reply-To: <20140605095350.GA29039@intevation.de>
References: <20140605095350.GA29039@intevation.de>
Message-ID: <201406061047.02319.bernhard@intevation.de>

Wow,

On Thursday 05 June 2014 at 11:53:51, Bernhard Reiter wrote:
> Their use of ECC by default
> raises the priority to get GnuPG 2.1 with ECC
> ready for production.

... some six hours later ...

On Thursday 05 June 2014 at 17:55:23, Werner Koch wrote:
> I just released the fourth *beta version* of GnuPG 2.1. It has been
> released to give you the opportunity to check out new features and
> a new beta was due anyway after 30 months.

Thanks Werner and congratulations to the new beta!

Best Regards,
Bernhard

--
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bjk at luxsci.net Sun Jun 8 01:50:42 2014
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 7 Jun 2014 19:50:42 -0400
Subject: [PATCH] agent: change protection flag character to a better indicator.
Message-ID: <1402185062-1343615.1521297.fs57NogDP024731@rs146.luxsci.com>

The flag is easier to understand (for me at least). Just wanted to be
sure before pushing since a new beta was just released.

diff --git a/agent/command.c b/agent/command.c index e17232e..6cd311e 100644 --- a/agent/command.c +++ b/agent/command.c
@@ -1038,7 +1038,7 @@ static const char hlp_keyinfo[] = "\n" "PROTECTION describes the key protection type:\n" " 'P' - The key is protected with a passphrase,\n" - " 'C' - The key is not protected,\n" + " 'N' - The key is not protected,\n" " '-' - Unknown protection.\n" "\n" "FPR returns the formatted ssh-style fingerprint of the key. It is only\n" @@ -1109,7 +1109,7 @@ do_one_keyinfo (ctrl_t ctrl, const unsigned char *grip, assuan_context_t ctx, { switch (keytype) { - case PRIVATE_KEY_CLEAR: protectionstr = "C"; keytypestr = "D"; + case PRIVATE_KEY_CLEAR: protectionstr = "N"; keytypestr = "D"; break; case PRIVATE_KEY_PROTECTED: protectionstr = "P"; keytypestr = "D"; break; -- Ben Kibbey From thomasjakway1 at gmail.com Sun Jun 8 02:24:38 2014 From: thomasjakway1 at gmail.com (Thomas Jakway) Date: Sat, 07 Jun 2014 17:24:38 -0700 Subject: Getting Involved Message-ID: <5393AD46.1010902@gmail.com> Hi! I'm a programmer who wants to learn more about getting involved in GnuPG. I use the program on a daily basis and feel like I should contribute back. Does anyone have any tips or advice for getting involved on the project? GnuPG is a large project and it's pretty daunting without knowing where to start. Sincerely, Thomas Jakway -------------- next part -------------- An HTML attachment was scrubbed... URL: From bernhard at intevation.de Tue Jun 10 16:26:09 2014 
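Review bot: In the do_one_keyinfo hunk (@@ -1109) of the agent/command.c patch above, changing protectionstr from "C" to "N" for PRIVATE_KEY_CLEAR alters a value that KEYINFO callers parse, not only the wording in hlp_keyinfo. A client that tests the PROTECTION field for 'C' to flag an unprotected key would stop matching after this change, so the "key is not protected" condition could go unreported. If the rename is wanted, it should come with a compatibility note and a check of every consumer of this field in the same commit; otherwise keep "C" and limit the patch to rewording the help text.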
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 10 Jun 2014 16:26:09 +0200
Subject: Getting Involved
In-Reply-To: <5393AD46.1010902@gmail.com>
References: <5393AD46.1010902@gmail.com>
Message-ID: <201406101626.15654.bernhard@intevation.de>

Hi Thomas,

On Sunday 08 June 2014 at 02:24:38, Thomas Jakway wrote:
> Hi! I'm a programmer who wants to learn more about getting involved in
> GnuPG. I use the program on a daily basis and feel like I should
> contribute back. Does anyone have any tips or advice for getting
> involved on the project? GnuPG is a large project and it's pretty
> daunting without knowing where to start.

welcome to the GnuPG Initiative! Your help is appreciated!
In my experience, best is to start in an area where you have an interest in.

If you would like to help with the software engineering, my hints are:

a) you can try to build GnuPG on your platform of choice
   a.1) run the tests
   a.2) think up a new test case and code it (difficult)
or
b) try to answer a technical question on gnupg-devel
   or one of the users lists.
   b.1) pick a question where you need to verify by code reading
        that this is actually the case
   b.2) write an example application to demonstrate the point (difficult)
or
c) write blog entry tutorial about how to use gpgme to do something
or (extra difficult)
d) go to the issue tracker, pick an issue with a patch and try to
   push the envelope. E.g. by building the patch, testing it,
   write a comment.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard (CEO)     www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From vecnamcclaudio at gmail.com Thu Jun 12 10:53:54 2014
From: vecnamcclaudio at gmail.com (=?UTF-8?B?yaPEmcaIxp7EhQ==?=)
Date: Thu, 12 Jun 2014 10:53:54 +0200
Subject: What's a FAILED marker ?
Message-ID:

Hi all (first post. "hi I'm a developer")

In my PGP key:
http://pgp.mit.edu/pks/lookup?op=get&search=0xB842093DC6765430

In a section (less before the half of the page) there is a list of
"////////////" of three lines [*], if you try to import that key:

dummy at qq:~$ gpg --keyserver pgp.mit.edu --recv-key 0xB842093DC6765430
gpg: requesting key C6765430 from hkp server pgp.mit.edu
gpg: key C6765430: public key "vecna (a Random GlobaLeks Developer) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

when I'm exporting (gpg -a --export claudio.agosti) the key with this
'dummy' user, I'm getting the same output of the keyserver.

If I'm exporting this key with the user having also the privacy key pair,
the output differs, and contains this format:

...SOMEARMOR +TKEY {MY FINGERPRINT} FAILED {A LOT OF "/"} SOME ARMOR AGAIN...

Here pasted entirely:
https://raw.githubusercontent.com/vecna/helpagainsttrack/80b52a9cee67e43c7c3a3dab395751093814e03c/vecna_341F1A8CE2B4F4F4174D7C21B842093DC6765430.asc
at 4/5 of the file the error is present

I've checked in gnupg code to figure out what's "FAILED", because my key
is working with openpgp.js and gnupg.

in g10/keyserver.c there is this comment:

  /* Slurp up all the key data. In the future, it might be
     nice to look for KEY foo OUTOFBAND and FAILED indicators... */

I've not found exactly what is happening, failing to backtrack the issue
(for example, the "///" is never printed by the gnupg code), and why the
presence of my secret key in the secring influences my public key output.

I've not found documentation about it, if someone has some pointer,
thank you.

best,
Claudio ~ vecna

[*] I assure you I've not generated my PGP key with some patch to change
armor representation :)

--
This account is intended for mailing list only.
Personal email via: vecna at globaleaks dot org

From kristian.fiskerstrand at sumptuouscapital.com Thu Jun 12 16:18:06 2014
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Thu, 12 Jun 2014 16:18:06 +0200
Subject: [PATCH] g10/call-agent.c: Fix-a-couple-of-spelling-errors.patch
Message-ID: <5399B69E.2040900@sumptuouscapital.com>

Please find enclosed a trivial patch fixing a few spelling errors in
g10/call-agent.c.

--
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-g10-call-agent.c-Fix-a-couple-of-spelling-errors.patch
Type: text/x-patch
Size: 1116 bytes

From wk at gnupg.org Tue Jun 17 12:01:14 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jun 2014 12:01:14 +0200
Subject: [PATCH] agent: change protection flag character to a better indicator.
In-Reply-To: <1402185062-1343615.1521297.fs57NogDP024731@rs146.luxsci.com> (Ben Kibbey's message of "Sat, 7 Jun 2014 19:50:42 -0400")
References: <1402185062-1343615.1521297.fs57NogDP024731@rs146.luxsci.com>
Message-ID: <87sin3svmd.fsf@vigenere.g10code.de>

On Sun, 8 Jun 2014 01:50, bjk at luxsci.net said:

> The flag is easier to understand (for me at least). Just wanted to be
> sure before pushing since a new beta was just released.

I'd prefer not to apply it. It has been around for too long and 'C' for Cipher is not too bad.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Tue Jun 17 12:10:10 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jun 2014 12:10:10 +0200
Subject: Makefile change to fix my location compilation issue
In-Reply-To: (Colin Davis's message of "Mon, 26 May 2014 03:28:28 -0400")
References:
Message-ID: <87oaxrsv7h.fsf@vigenere.g10code.de>

Hi!

On Mon, 26 May 2014 09:28, e1ven at e1ven.com said:

> > -t_common_ldadd = libcommon.a ../gl/libgnu.a \ > +t_common_ldadd = libcommon.a libcommon_a-init.o ../gl/libgnu.a \

That smells like a missing ranlib call. However, automake generated makefiles call ranlib. What version of GnuPG are you using? Do you use the GIT versions? Which automake, autoconf in that case?

Can you please send the respective part of the compile log and config.log? My apologies in advance if you already sent it and I lost track of it.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Jun 23 14:59:25 2014
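Review bot: on the +t_common_ldadd line of the quoted Makefile change, naming libcommon_a-init.o next to libcommon.a works around the link failure rather than fixing it. The libcommon_a- prefix is the name automake gives to objects built for the libcommon.a target, so that object should already be a member of the archive; if its symbols cannot be resolved through libcommon.a, the archive contents or its index is the thing to check (for example with "ar t libcommon.a"), and every other program that links libcommon.a would still be affected after this change.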
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2014 14:59:25 +0200
Subject: gpg 1.4.x and 2.0.x differ in output with --with-colons --check-sigs
In-Reply-To: <1375531376.492.1.camel@haktar.debian.wgdd.de> (Daniel Leidert's message of "Sat, 03 Aug 2013 14:02:56 +0200")
References: <87bo67dbir.fsf@alice.fifthhorseman.net> <1374400742.4984.3.camel@haktar.debian.wgdd.de> <87fvv27m2w.fsf@vigenere.g10code.de> <1375531376.492.1.camel@haktar.debian.wgdd.de>
Message-ID: <8761jrlr2q.fsf@vigenere.g10code.de>

On Sat, 3 Aug 2013 14:02, daniel.leidert.spam at gmx.net said:

> Maybe in 1.4.15? If you don't plan to add this patch to the 1.4 series
> I'm hesitating to apply it to the Debian package.

Finally applied to 1.4 - will go into 1.4.17. Thanks.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Jun 23 15:42:12 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2014 15:42:12 +0200
Subject: [PATCH v6 (stable-1-4)] filter and verify keyserver responses
In-Reply-To: <20140129235743.GA30808@zirkel.wertarbyte.de> (Stefan Tomanek's message of "Thu, 30 Jan 2014 00:57:43 +0100")
References: <20140129235743.GA30808@zirkel.wertarbyte.de>
Message-ID: <871tuflp3f.fsf@vigenere.g10code.de>

On Thu, 30 Jan 2014 00:57, tomanek at internet-sicherheit.de said:

> This change introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.

Applied to 1.4. Thanks.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Jun 23 18:21:30 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 23 Jun 2014 18:21:30 +0200
Subject: [Announce] [security fix] GnuPG 1.4.17 released
Message-ID: <87tx7bk35h.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.17. This release includes a *security fix* to stop a possible DoS using garbled compressed data packets which can be used to put gpg into an infinite loop.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, smartcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+).

Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build, and also better portable to ancient platforms. In contrast to GnuPG-2 (e.g version 2.0.23) it comes with no support for S/MIME, Secure Shell, or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict.

What's New
===========

 * Avoid DoS due to garbled compressed data packets.

 * Screen keyserver responses to avoid import of unwanted keys by rogue servers.

 * Add hash algorithms to the "sig" records of the colon output.

 * More specific reason codes for INV_RECP status.

 * Fixes for PC/SC access on Apple.

 * Minor bug fixes.

Getting the Software
====================

First of all, decide whether you really need GnuPG version 1.4.x - most users are better off with the modern GnuPG 2.0.x version. Then follow the instructions found at https://www.gnupg.org/download/ or read on:

GnuPG 1.4.17 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ .
The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org and on its mirrors you should find the following new files in the *gnupg* directory:

  - The GnuPG source code compressed using BZIP2 and its OpenPGP signature:

      gnupg-1.4.17.tar.bz2 (3563k)
      gnupg-1.4.17.tar.bz2.sig

  - The GnuPG source code compressed using GZIP and its OpenPGP signature:

      gnupg-1.4.17.tar.gz (4929k)
      gnupg-1.4.17.tar.gz.sig

  - A patch file to upgrade a 1.4.16 GnuPG source tree. This patch does not include updates of the language files.

      gnupg-1.4.16-1.4.17.diff.bz2 (21k)

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptionally your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  - GnuPG compiled for Microsoft Windows and its OpenPGP signature. This is a command line only version; the source files are the same as above.

      gnupg-w32cli-1.4.17.exe (1574k)
      gnupg-w32cli-1.4.17.exe.sig

    Note, that this is a minimal installer and unless you are only in need of the simple gpg binary, you are better off using the full featured installer at https://www.gpg4win.org .

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.17.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.17.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key.
   Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com | gpg --import

   or using a keyserver like

     gpg --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.17.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-1.4.17.tar.bz2

   and check that the output matches the first line from the following list:

830c7f749ad92d6577c521addea5e5d920128d42  gnupg-1.4.17.tar.bz2
d5b3c25901f182ea20c31f09669f44681c3aaa89  gnupg-1.4.17.tar.gz
ff761de4efc3876c57199612c24b677208da7c10  gnupg-1.4.16-1.4.17.diff.bz2
b2f0db9eebf028d27d0a119334e5e357773dd0d6  gnupg-w32cli-1.4.17.exe

Internationalization
====================

GnuPG comes with support for 29 languages. The Chinese (Simple and Traditional), Czech, Danish, Dutch, French, German, Norwegian, Polish, Romanian, Russian, Spanish, Swedish, Ukrainian, and Turkish translations are close to being complete.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . We also have a dedicated service directory at:

  https://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources.
To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, donating money, spreading the word, or answering questions on the mailing lists.

Happy Hacking,

  The GnuPG Team

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Tue Jun 24 16:01:18 2014
From: wk at gnupg.org (Werner Koch)
Date: Tue, 24 Jun 2014 16:01:18 +0200
Subject: [Announce] [security fix] GnuPG 2.0.24 released
Message-ID: <87zjh2h0ep.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.24. This release includes a *security fix* to stop a possible DoS using garbled compressed data packets which can be used to put gpg into an infinite loop.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.17) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also available for other Unices, Microsoft Windows and Mac OS X.

What's New in 2.0.24
====================

 * gpg: Avoid DoS due to garbled compressed data packets.

 * gpg: Screen keyserver responses to avoid importing unwanted keys from rogue servers.

 * gpg: The validity of user ids is now shown by default. To revert this add "list-options no-show-uid-validity" to gpg.conf.

 * gpg: Print more specific reason codes with the INV_RECP status.
 * gpg: Allow loading of a cert only key to an OpenPGP card.

 * gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt 1.6.

 * Minor bug fixes.

Getting the Software
====================

Please follow the instructions found at https://www.gnupg.org/download/ or read on:

GnuPG 2.0.24 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org and on its mirrors you should find the following new files in the gnupg/ directory:

  - The GnuPG-2 source code compressed using BZIP2 and its OpenPGP signature:

      gnupg-2.0.24.tar.bz2 (4201k)
      gnupg-2.0.24.tar.bz2.sig

  - A patch file to upgrade a 2.0.23 GnuPG source tree. This patch does not include updates of the language files.

      gnupg-2.0.23-2.0.24.diff.bz2 (20k)

Note, that we don't distribute gzip compressed tarballs for GnuPG-2. A Windows version will eventually be released at https://gpg4win.org .

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.24.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.24.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key.
   Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.24.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.24.tar.bz2

   and check that the output matches the first line from the following list:

010e027d5f622778cadc4c124013fe515ed705cf  gnupg-2.0.24.tar.bz2
594d7f91ba4fc215345f18afee46c4aa9f2b3303  gnupg-2.0.23-2.0.24.diff.bz2

Documentation
=============

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

  https://www.gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Almost all mail clients support GnuPG-2. Mutt users may want to use the configure option "--enable-gpgme" during build time and put a "set use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the reworked OpenPGP support.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at .
We also have a dedicated service directory at:

  https://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Happy Hacking,

  The GnuPG Team

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From dkg at fifthhorseman.net Tue Jun 24 23:46:58 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 24 Jun 2014 17:46:58 -0400
Subject: [PATCH] fix logging in t-version.c
Message-ID: <1403646418-24861-1-git-send-email-dkg@fifthhorseman.net>

--- tests/t-version.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/t-version.c b/tests/t-version.c index d6c6399..ce8f41b 100644 --- a/tests/t-version.c +++ b/tests/t-version.c @@ -82,7 +82,7 @@ main (int argc, char **argv) } if (gpg_error_check_version ("15")) { - fprintf (stderr, "gpg_error_check_version did not return an error" + fprintf (stderr, "%s: gpg_error_check_version did not return an error" " for a newer version\n", logpfx); errorcount++; } -- 2.0.0
From dkg at fifthhorseman.net Tue Jun 24 23:49:57 2014
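Review bot: the commit message for the tests/t-version.c hunk has no body and the subject does not name the project, which is why a follow-up mail was needed to say the patch is for libgpg-error. The change itself is right: the old format string had no conversion for the logpfx argument that the call already passed, so the prefix was silently dropped, and the added "%s: " consumes it. Suggest saying exactly that in the message, for example "* tests/t-version.c (main): Add missing %s for logpfx.", and prefixing the subject with the project name.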
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 24 Jun 2014 17:49:57 -0400
Subject: libgpg-error: Re: [PATCH] fix logging in t-version.c
In-Reply-To: <1403646418-24861-1-git-send-email-dkg@fifthhorseman.net>
References: <1403646418-24861-1-git-send-email-dkg@fifthhorseman.net>
Message-ID: <87tx7arn96.fsf@alice.fifthhorseman.net>

Hi folks--

sorry, the preceding patch to fix the logging in t-version.c was for libgpg-error, not for any other GnuPG-related development!

  --dkg

From dkg at fifthhorseman.net Wed Jun 25 00:39:49 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 24 Jun 2014 18:39:49 -0400
Subject: libgpg-error strerror weirdness [was: Re: libgpg-error: Re: [PATCH] fix logging in t-version.c]
In-Reply-To: <87tx7arn96.fsf@alice.fifthhorseman.net>
References: <1403646418-24861-1-git-send-email-dkg@fifthhorseman.net> <87tx7arn96.fsf@alice.fifthhorseman.net>
Message-ID: <87r42erky2.fsf@alice.fifthhorseman.net>

On Tue 2014-06-24 17:49:57 -0400, Daniel Kahn Gillmor wrote:

> sorry, the preceding patch to fix the logging in t-version.c was for
> libgpg-error, not for any other GnuPG-related development!

When trying to build libgpg-error 1.13 on debian testing/unstable systems with gcc 4.9, i also notice this weird artifact:

    gcc -DHAVE_CONFIG_H -I. -I.. -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c gen-posix-lock-obj.c
    gen-posix-lock-obj.c: In function ‘main’:
    gen-posix-lock-obj.c:106:7: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=]
           fprintf (stderr, PGM ": error writing to stdout: %s\n", strerror (errno));
           ^

i'm used to strerror returning a char*, not an int -- maybe there is some sort of weird macro wrapper transforming strerror into strerror_r or something?

Anyway, this code doesn't ship in any user-facing binaries, afaict -- it's just a C code generator itself, so i don't think this is a big deal, i just wanted to point it out in case anyone knows more about what's going on here.

regards,

  --dkg

From wk at gnupg.org Wed Jun 25 08:33:07 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 25 Jun 2014 08:33:07 +0200
Subject: libgpg-error strerror weirdness
In-Reply-To: <87r42erky2.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 24 Jun 2014 18:39:49 -0400")
References: <1403646418-24861-1-git-send-email-dkg@fifthhorseman.net> <87tx7arn96.fsf@alice.fifthhorseman.net> <87r42erky2.fsf@alice.fifthhorseman.net>
Message-ID: <877g45h524.fsf@vigenere.g10code.de>

> i'm used to strerror returning a char*, not an int -- maybe there is

Add #include for the strerror() prototype. (fix already pushed).

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From bisson at archlinux.org Wed Jun 25 10:24:45 2014
From: bisson at archlinux.org (Gaetan Bisson)
Date: Wed, 25 Jun 2014 10:24:45 +0200
Subject: all keyserver replies rejected by import filter
Message-ID: <20140625082445.GA27529@aji>

Hi,

GnuPG 2.0.24 compiled against libgcrypt 1.6.1 exhibits a curious behavior when refreshing keys from a keyserver. In a nutshell, that's how things go:

    $ gpg --refresh-keys
    gpg: refreshing 48 keys from hkp://pgp.mit.edu
    gpg: requesting key 00F0D0F0 from hkp server pgp.mit.edu
    gpg: requesting key 1E42B367 from hkp server pgp.mit.edu
    gpg: requesting key 4F25E3B6 from hkp server pgp.mit.edu
    ...
    gpg: key 00F0D0F0: "Gaetan Bisson " not changed
    gpg: key 1E42B367: rejected by import filter
    gpg: key 4F25E3B6: rejected by import filter
    ...

In other words, any public key other than mine gets rejected by the import filter. Other Arch Linux users who cared to try gnupg-2.0.24 (currently in our [testing] repository) reported the same problem.

Is there something we can do to prevent this?

If it matters, our package is built against the most recent stable release of libraries gnupg depends on (libksba-1.3.0, libgcrypt-1.6.1, pth-2.0.7, libassuan-2.1.1, dirmngr-1.1.1) and here is our build script:

    https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnupg

For the record, this issue was first reported here:

    https://bugs.archlinux.org/task/40968

Cheers.

--
Gaetan

From bisson at archlinux.org Wed Jun 25 11:03:01 2014
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 25 Jun 2014 12:43:53 +0200
Subject: all keyserver replies rejected by import filter
In-Reply-To: <20140625082445.GA27529@aji>
References: <20140625082445.GA27529@aji>
Message-ID:

Out of curiosity, does the same behavior persist in hkp://subset.pool.sks-keyservers.net?

On Jun 25, 2014 11:42 AM, "Gaetan Bisson" wrote:

> Hi,
>
> GnuPG 2.0.24 compiled against libgcrypt 1.6.1 exhibits a curious
> behavior when refreshing keys from a keyserver. In a nutshell, that's
> how things go:
>
> $ gpg --refresh-keys
> gpg: refreshing 48 keys from hkp://pgp.mit.edu
> gpg: requesting key 00F0D0F0 from hkp server pgp.mit.edu
> gpg: requesting key 1E42B367 from hkp server pgp.mit.edu
> gpg: requesting key 4F25E3B6 from hkp server pgp.mit.edu
> ...
> gpg: key 00F0D0F0: "Gaetan Bisson " not changed
> gpg: key 1E42B367: rejected by import filter
> gpg: key 4F25E3B6: rejected by import filter
> ...
>
> In other words, any public key other than mine gets rejected by the
> import filter. Other Arch Linux users who cared to try gnupg-2.0.24
> (currently in our [testing] repository) reported the same problem.
>
> Is there something we can do to prevent this?
>
> If it matters, our package is built against the most recent stable
> release of libraries gnupg depends on (libksba-1.3.0, libgcrypt-1.6.1,
> pth-2.0.7, libassuan-2.1.1, dirmngr-1.1.1) and here is our build script:
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnupg
>
> For the record, this issue was first reported here:
>
> https://bugs.archlinux.org/task/40968
>
> Cheers.
>
> --
> Gaetan

From wk at gnupg.org Wed Jun 25 13:59:11 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 25 Jun 2014 13:59:11 +0200
Subject: all keyserver replies rejected by import filter
In-Reply-To: <20140625082445.GA27529@aji> (Gaetan Bisson's message of "Wed, 25 Jun 2014 10:24:45 +0200")
References: <20140625082445.GA27529@aji>
Message-ID: <87lhslfbe8.fsf@vigenere.g10code.de>

On Wed, 25 Jun 2014 10:24, bisson at archlinux.org said:

> In other words, any public key other than mine gets rejected by the
> import filter. Other Arch Linux users who cared to try gnupg-2.0.24
> (currently in our [testing] repository) reported the same problem.

Oh no! I need to spend another day on doing new releases.

From looking at the source the problem seems to be that

  5e933008 * gpg: Screen keyserver responses.

does only work for single keys. The reason is that the import filter always compares against the first key of the list of specified keys (on-the-fly created by --refresh-keys) and thus only one can pass. Quite a good test for the filter but renders all keyserver multi-key import feature useless.

The fix is obvious but doing new releases takes some time. I'll post a patch for testing later.

Sorry for the trouble.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From bisson at archlinux.org Wed Jun 25 14:11:50 2014
From: bisson at archlinux.org (Gaetan Bisson)
Date: Wed, 25 Jun 2014 14:11:50 +0200
Subject: all keyserver replies rejected by import filter
In-Reply-To:
References: <20140625082445.GA27529@aji>
Message-ID: <20140625121150.GB685@aji.vesath.org>

[2014-06-25 12:43:53 +0200] Kristian Fiskerstrand:
> Out of curiosity, does the same behavior persist in hkp://
> subset.pool.sks-keyservers.net?

Yes. Any keyserver.

--
Gaetan

From wk at gnupg.org Wed Jun 25 14:37:58 2014
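The failure Werner describes in this thread (only the first requested key can pass the filter) next to match-any screening, as an added C example that is not GnuPG code. The struct and function names are simplified stand-ins, the three requested key IDs come from the --refresh-keys output quoted in the thread, and the keyserver reply, including the unrequested key, is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for this example; these are not GnuPG's own types. */
enum search_mode { MODE_SHORT_KID, MODE_LONG_KID, MODE_FPR20 };

struct search_desc {
    enum search_mode mode;
    uint32_t kid[2];          /* kid[0] = high half, kid[1] = short key ID */
    unsigned char fpr[20];    /* used only with MODE_FPR20 */
};

struct returned_key {
    uint32_t kid[2];
    unsigned char fpr[20];
};

typedef int (*filter_fn)(const struct search_desc *, int,
                         const struct returned_key *);

/* Does one requested description identify the returned key? */
static int desc_matches(const struct search_desc *d,
                        const struct returned_key *k)
{
    switch (d->mode) {
    case MODE_FPR20:
        return memcmp(d->fpr, k->fpr, 20) == 0;
    case MODE_LONG_KID:
        return d->kid[0] == k->kid[0] && d->kid[1] == k->kid[1];
    case MODE_SHORT_KID:
        return d->kid[1] == k->kid[1];
    }
    return 0;
}

/* Behaviour reported in the thread: only desc[0] is ever consulted.
   Returns 0 to import the key, nonzero to reject it. */
int filter_first_only(const struct search_desc *desc, int ndesc,
                      const struct returned_key *k)
{
    if (ndesc < 1)
        return -1;
    return desc_matches(&desc[0], k) ? 0 : -1;
}

/* Match-any screening: import when any requested description matches.
   Assumption of this model: an empty request list rejects everything. */
int filter_any(const struct search_desc *desc, int ndesc,
               const struct returned_key *k)
{
    int n;

    for (n = 0; n < ndesc; n++)
        if (desc_matches(&desc[n], k))
            return 0;
    return -1;
}

/* Requested keys: the short key IDs shown in the --refresh-keys output. */
static const struct search_desc requested[] = {
    { MODE_SHORT_KID, { 0, 0x00F0D0F0u }, { 0 } },
    { MODE_SHORT_KID, { 0, 0x1E42B367u }, { 0 } },
    { MODE_SHORT_KID, { 0, 0x4F25E3B6u }, { 0 } },
};

/* Constructed keyserver reply: the three requested keys plus one key
   nobody asked for. The high halves of the key IDs are made up. */
static const struct returned_key reply[] = {
    { { 0x11111111u, 0x00F0D0F0u }, { 0 } },
    { { 0x22222222u, 0x1E42B367u }, { 0 } },
    { { 0x33333333u, 0x4F25E3B6u }, { 0 } },
    { { 0x44444444u, 0x0BADC0DEu }, { 0 } },
};

/* Number of keys in the constructed reply that the filter lets through. */
int count_accepted(filter_fn filter)
{
    int nreq = (int)(sizeof requested / sizeof requested[0]);
    int nrep = (int)(sizeof reply / sizeof reply[0]);
    int i, accepted = 0;

    for (i = 0; i < nrep; i++)
        if (filter(requested, nreq, &reply[i]) == 0)
            accepted++;
    return accepted;
}

int main(void)
{
    printf("first-only filter imports %d of 4 returned keys\n",
           count_accepted(filter_first_only));
    printf("match-any filter imports %d of 4 returned keys\n",
           count_accepted(filter_any));
    return 0;
}
```

The first-only filter reproduces the "rejected by import filter" lines for every key after the first, while the match-any filter still rejects the key that was never requested.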
From: wk at gnupg.org (Werner Koch)
Date: Wed, 25 Jun 2014 14:37:58 +0200
Subject: all keyserver replies rejected by import filter
In-Reply-To: <20140625082445.GA27529@aji> (Gaetan Bisson's message of "Wed, 25 Jun 2014 10:24:45 +0200")
References: <20140625082445.GA27529@aji>
Message-ID: <87fvitf9ll.fsf@vigenere.g10code.de>

Hi,

please give the patch below a try. It works for me but before I do another release, I would like a second test.

Shalom-Salam,

   Werner

From 044847a0e2013a2833605c1a9f80cfa6ef353309 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 25 Jun 2014 14:33:34 +0200
Subject: [PATCH] gpg: Make screening of keyserver result work with multi-key commands.

* g10/keyserver.c (ks_retrieval_filter_arg_s): new.
(keyserver_retrieval_filter): Use new struct and check all descriptions.
(keyserver_spawn): Pass filter arg using the new struct.
--

This is a fix for commit 5e933008. The old code did only work for a single key. It failed as soon as several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A B C").
--- g10/keyserver.c | 68 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 23 deletions(-) diff --git a/g10/keyserver.c b/g10/keyserver.c index 83a4b95..aa41536 100644 --- a/g10/keyserver.c +++ b/g10/keyserver.c
@@ -982,13 +982,25 @@ direct_uri_map(const char *scheme,unsigned int is_direct) #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\"" +/* Structure to convey the arg to keyserver_retrieval_filter. */ +struct ks_retrieval_filter_arg_s +{ + KEYDB_SEARCH_DESC *desc; + int ndesc; +}; + + /* Check whether a key matches the search description. The filter returns 0 if the key shall be imported. Note that this kind of filter is not related to the iobuf filters. */ static int -keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, void *arg) +keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, + void *opaque) { - KEYDB_SEARCH_DESC *desc = arg; + struct ks_retrieval_filter_arg_s *arg = opaque; + KEYDB_SEARCH_DESC *desc = arg->desc; + int ndesc = arg->ndesc; + int n; u32 keyid[2]; byte fpr[MAX_FINGERPRINT_LEN]; size_t fpr_len = 0; 
@@ -997,32 +1009,40 @@ keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, void *arg) if (sk) return G10ERR_GENERAL; + if (!ndesc) + return 0; /* Okay if no description given. */ + fingerprint_from_pk (pk, fpr, &fpr_len); keyid_from_pk (pk, keyid); /* Compare requested and returned fingerprints if available. */ - if (desc->mode == KEYDB_SEARCH_MODE_FPR20) - { - if (fpr_len != 20 || memcmp (fpr, desc->u.fpr, 20)) - return G10ERR_GENERAL; - } - else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) - { - if (fpr_len != 16 || memcmp (fpr, desc->u.fpr, 16)) - return G10ERR_GENERAL; - } - else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) - { - if (keyid[0] != desc->u.kid[0] || keyid[1] != desc->u.kid[1]) - return G10ERR_GENERAL; - } - else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) + for (n = 0; n < ndesc; n++) { - if (keyid[1] != desc->u.kid[1]) - return G10ERR_GENERAL; + if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20) + { + if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20)) + return 0; + } + else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16) + { + if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16)) + return 0; + } + else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID) + { + if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1]) + return 0; + } + else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID) + { + if (keyid[1] == desc[n].u.kid[1]) + return 0; + } + else + return 0; } - return 0; + return G10ERR_GENERAL; } @@ -1535,6 +1555,7 @@ keyserver_spawn (enum ks_action action, strlist_t list, KEYDB_SEARCH_DESC *desc, case KS_GETNAME: { void *stats_handle; + struct ks_retrieval_filter_arg_s filterarg; stats_handle=import_new_stats_handle(); 
@@ -1547,11 +1568,12 @@ keyserver_spawn (enum ks_action action, strlist_t list, KEYDB_SEARCH_DESC *desc, that we don't allow the import of secret keys from a keyserver. Keyservers should never accept or send them but we better protect against rogue keyservers. */ - + filterarg.desc = desc; + filterarg.ndesc = count; import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len, (opt.keyserver_options.import_options | IMPORT_NO_SECKEY), - keyserver_retrieval_filter, desc); + keyserver_retrieval_filter, &filterarg); import_print_stats(stats_handle); import_release_stats_handle(stats_handle); -- 1.8.4.3 -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From bisson at archlinux.org Wed Jun 25 15:26:28 2014 From: bisson at archlinux.org (Gaetan Bisson) Date: Wed, 25 Jun 2014 15:26:28 +0200 Subject: all keyserver replies rejected by import filter In-Reply-To: <87fvitf9ll.fsf@vigenere.g10code.de> References: <20140625082445.GA27529@aji> <87fvitf9ll.fsf@vigenere.g10code.de> Message-ID: <20140625132628.GA2882@aji.vesath.org> [2014-06-25 14:37:58 +0200] Werner Koch: > please give the batch below a try. It works for me but before I do > another release, I would like a second test. It works fine here; thanks! By the way, since you are doing another release, could you consider including the patch from [1]? Apparently the reporter had some issues using the gnupg bug tracker, but the full story is there [2]. I'm only mentioning it because that's the only patch we use in Arch Linux, and I'd love to remove it to make our gnupg entirely vanilla. [1] https://bugs.g10code.com/gnupg/issue1402 [2] https://bugzilla.redhat.com/show_bug.cgi?id=548528 Cheers. -- Gaetan From jerome at jerome.cc Wed Jun 25 16:22:58 2014 
From: jerome at jerome.cc (Jérôme Pinguet)
Date: Wed, 25 Jun 2014 16:22:58 +0200
Subject: [PATCH v4] filter and verify keyserver responses
In-Reply-To: <20131020125323.GT17429@zirkel.wertarbyte.de>
References: <20131020125323.GT17429@zirkel.wertarbyte.de>
Message-ID: <53AADB42.9070005@jerome.cc>

On 20/10/2013 14:53, Stefan Tomanek wrote:
> This change introduces import functions that apply a constraining
> filter to imported keys. These filters can verify the fingerprints of
> the keys returned before importing them into the keyring, ensuring that
> the keys fetched from the keyserver are in fact those selected by the
> user beforehand.
>
> It also prevents the accidental import of secret keys through key server
> responses.
>

Hello!

Talking about import filters, is this already implemented or could it be implemented:

A filter that imports only keys authenticated by one or more given key(s) (identified by its(their) fingerprint(s))?

If this kind of feature does not fit in GnuPG's roadmap, maybe someone has already implemented this outside of GnuPG?

The real life application is to secure even further a read only private key server used within an organization. In case of compromise of the keyserver, a user won't be able to download a rogue key that has not been authenticated by the organization's key(s).

Thanks.

Jérôme Pinguet

From bisson at archlinux.org Wed Jun 25 17:11:04 2014
From: bisson at archlinux.org (Gaetan Bisson)
Date: Wed, 25 Jun 2014 17:11:04 +0200
Subject: all keyserver replies rejected by import filter
In-Reply-To: <20140625132628.GA2882@aji.vesath.org>
References: <20140625082445.GA27529@aji> <87fvitf9ll.fsf@vigenere.g10code.de> <20140625132628.GA2882@aji.vesath.org>
Message-ID: <20140625151104.GB23224@aji.vesath.org>

[2014-06-25 15:26:28 +0200] Gaetan Bisson:
> [2014-06-25 14:37:58 +0200] Werner Koch:
> > please give the batch below a try. It works for me but before I do
> > another release, I would like a second test.
>
> It works fine here; thanks!

The original reporter confirmed it fixes things for him too.

--
Gaetan

From wk at gnupg.org Wed Jun 25 20:14:39 2014
From: wk at gnupg.org (Werner Koch)
Date: Wed, 25 Jun 2014 20:14:39 +0200
Subject: [PATCH v4] filter and verify keyserver responses
In-Reply-To: <53AADB42.9070005@jerome.cc> ("Jérôme Pinguet"'s message of "Wed, 25 Jun 2014 16:22:58 +0200")
References: <20131020125323.GT17429@zirkel.wertarbyte.de> <53AADB42.9070005@jerome.cc>
Message-ID: <87k384eu0g.fsf@vigenere.g10code.de>

On Wed, 25 Jun 2014 16:22, jerome at jerome.cc said:

> A filter that imports only keys authenticated by one or more given
> key(s) (identified by its(their) fingerprint(s))?

No.

> keyserver, a user won't be able to download a rogue key that has not
> been authenticated by the organization's key(s).

Do not rely on the content of the standard keyring. You MUST somehow make sure that the key is authentic - using the keyring is not a replacement for that.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dkg at fifthhorseman.net Wed Jun 25 23:03:41 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 25 Jun 2014 17:03:41 -0400
Subject: building gnupg master from git (oddities and workarounds)
Message-ID: <87lhsksnv6.fsf@alice.fifthhorseman.net>

I'm trying to build gnupg from the master branch in git, on an up-to-date debian unstable system. I've read README.GIT.

I'm on commit b5f95c1.

I build for the first time with:

  ./autogen.sh --force

which tells me i should run:

  ./configure --sysconfdir=/etc --enable-maintainer-mode --enable-symcryptrun --enable-mailto --enable-gpgtar && make

i run that command, and ./configure runs for a while before returning with an error:

  ...
  configure: checking system features for estream
  checking that generated files are newer than configure... done
  checking that generated files are newer than configure... done
  configure: creating ./config.status
  config.status: error: cannot find input file: `m4/Makefile.in'

I can work around this with:

  automake --add-missing

and then re-running:

  ./autogen.sh --force

the ./configure command now completes, but produces the following odd message:

  configure: WARNING: unrecognized options: --enable-mailto

and then make runs to completion.

Perhaps "automake --add-missing" should be run early on autogen.sh?

i'm not sure what to recommend about --enable-mailto.

  --dkg

From steve at gpgtools.org Wed Jun 25 22:13:04 2014
From: steve at gpgtools.org (steve)
Date: Wed, 25 Jun 2014 22:13:04 +0200
Subject: key length
Message-ID:

Hi all,
we (GPGTools) had a brief meetup with Nico (he's contributing to Enigmail) today. He suggested raising the key length default to 4096bit. The idea came via a suggestion from Rüdiger Weiß on the 30C3 congress (https://www.youtube.com/watch?v=1dhCDJ_LVuY).
We just changed the key length default to 4096bit for new keys created with GPG Keychain Access on OS X.
We are planning to adjust this default in MacGPG2 for the next stable release.
Are there any objections to this? Any drawbacks we didn't think of?
Best regards, Steve
@GPGTools
https://gpgtools.org

From martijn.list at gmail.com Wed Jun 25 23:30:29 2014
From: martijn.list at gmail.com (martijn.list)
Date: Wed, 25 Jun 2014 23:30:29 +0200
Subject: building gnupg master from git (oddities and workarounds)
In-Reply-To: <87lhsksnv6.fsf@alice.fifthhorseman.net>
References: <87lhsksnv6.fsf@alice.fifthhorseman.net>
Message-ID: <53AB3F75.3040609@gmail.com>

On 06/25/2014 11:03 PM, Daniel Kahn Gillmor wrote:
> I'm trying to build gnupg from the master branch in git, on an
> up-to-date debian unstable system. I've read README.GIT.
>
> I'm on commit b5f95c1.
>
> I build for the first time with:
>
> ./autogen.sh --force
>
> which tells me i should run:
>
> ./configure --sysconfdir=/etc --enable-maintainer-mode
> --enable-symcryptrun --enable-mailto --enable-gpgtar && make
>
> i run that command, and ./configure runs for a while before
> returning with an error:
>
> ... configure: checking system features for estream checking that
> generated files are newer than configure... done checking that
> generated files are newer than configure... done configure:
> creating ./config.status config.status: error: cannot find input
> file: `m4/Makefile.in'
>
> I can work around this with:
>
> automake --add-missing
>
> and then re-running:
>
> ./autogen.sh --force
>
> the ./configure command now completes, but produces the following
> odd message:
>
> configure: WARNING: unrecognized options: --enable-mailto
>
> and then make runs to completion.
>
>
>
> Perhaps "automake --add-missing" should be run early on
> autogen.sh?
>
> i'm not sure what to recommend about --enable-mailto.

I'm using the following script with success:

https://github.com/Wikinaut/utils/wiki#How_to_compile_GnuPG_gpg_from_the_github_sources

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP and PDF encryption.

www.ciphermail.com

From rjh at sixdemonbag.org Wed Jun 25 23:33:37 2014
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 25 Jun 2014 17:33:37 -0400
Subject: key length
In-Reply-To:
References:
Message-ID: <53AB4031.4060300@sixdemonbag.org>

> we (GPGTools) had a brief meetup with Nico (he's contributing to
> Enigmail) today. He suggested raising the key length default to 4096bit.
> The idea came via a suggestion from Rüdiger Weiß on the 30C3 congress
> (https://www.youtube.com/watch?v=1dhCDJ_LVuY).

As Werner himself posted to GnuPG-Users just yesterday, 4096-bit is wildly unnecessary for the vast majority of users. In fact, there's a FAQ on it:

https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

Please don't override the GnuPG defaults unless you have a clear and compelling reason for why RSA-2048 (the GnuPG default) is inappropriate for your users.

From dkg at fifthhorseman.net Thu Jun 26 01:11:02 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 25 Jun 2014 19:11:02 -0400
Subject: building gnupg master from git (oddities and workarounds)
In-Reply-To: <53AB3F75.3040609@gmail.com>
References: <87lhsksnv6.fsf@alice.fifthhorseman.net> <53AB3F75.3040609@gmail.com>
Message-ID: <53AB5706.5080901@fifthhorseman.net>

On 06/25/2014 05:30 PM, martijn.list wrote:
> I'm using the following script with success:
>
> https://github.com/Wikinaut/utils/wiki#How_to_compile_GnuPG_gpg_from_the_github_sources

That link is pretty odd. Despite the title of the "tip" referring to "the github sources", there is no mention of github at all. gnupg doesn't use github, afaict.

It also seems to assume that all the network activity and code compilation is done as the superuser -- seems a bit risky!

To be clear, i have successfully built gnupg from the git master, as a non-privileged user, using the commands i mentioned. The only thing i needed was the proper development libraries installed, which i'm working toward documenting separately (i needed to package and upload the latest version of libgpg-error to debian, but everything else was already available).

I was reporting the issues so that they were known and documented; hopefully the process can be cleaned up a bit to make the build process from git even smoother, which might help encourage other people to contribute to the codebase.

happy hacking,

  --dkg

From ekleog at gmail.com Thu Jun 26 00:40:28 2014
From: ekleog at gmail.com (Leo Gaspard)
Date: Thu, 26 Jun 2014 00:40:28 +0200
Subject: key length
In-Reply-To:
References:
Message-ID: <20140625224028.GC15334@leortable>

On Wed, Jun 25, 2014 at 10:13:04PM +0200, steve wrote:
> Hi all,
> we (GPGTools) had a brief meetup with Nico (he's contributing to Enigmail) today. He suggested raising the key length default to 4096bit. The idea came via a suggestion from Rüdiger Weiß on the 30C3 congress (https://www.youtube.com/watch?v=1dhCDJ_LVuY).
> We just changed the key length default to 4096bit for new keys created with GPG Keychain Access on OS X.
> We are planning to adjust this default in MacGPG2 for the next stable release.
> Are there any objections to this? Any drawbacks we didn't think of?
> Best regards, Steve
> @GPGTools
> https://gpgtools.org

May I suggest to read... well, take a random message from the past month (on gnupg-users at gnupg.org), and that should be it.

To put it in a nutshell, it's pointless, for weaknesses do not come from key length. The default (2048bit) is a perfectly reasonable default, and edge cases requiring longer keys should know how to raise key length. Raising the key length gives a greater feeling of security, not a greater security.

BTW, this makes yet another reason to keep 2048bit as a default: people will be happy and think themselves smarter than anyone else when raising their key length, and perhaps even feel *more* secure than if the default was 4096bit (which is wrong, but a feeling of security is what most people crave in encryption; otherwise they would not bother to raise their key length).

And, for the argument that RSA-768 was deemed secure: First, there are 2**2560 more keys in RSA-2048 than RSA-768 (yes, this is completely wrong, as it assumes a constant repartition of primes... 0.141 * 2**2560, that is approx. 2**2557 is closer, assuming Hadamard -- La Vallée-Poussin is a good approximation for primes in this range [it is off by far fewer than 1% according to empirical studies] and any pair of primes makes a valid RSA key). Then, and this argument is a matter of opinion, I've got no numeric data to support it, but I believe even RSA-768 still cannot be broken by your wife to discover you cheated on her. It might be broken by three-letter agencies, but will they pay that much energy to read your shopping list?

Please, please, do not answer this message. Or, if you really *really* want to do so, please consult http://bikeshed.com first (thanks to have made me discover this link, Doug).

HTH,

Leo

From ueno at gnu.org Thu Jun 26 10:40:22 2014
From: ueno at gnu.org (Daiki Ueno)
Date: Thu, 26 Jun 2014 17:40:22 +0900
Subject: gpgme 1.5.0 assumes gpgsm is always present if gpgconf is found
Message-ID:

Hi,

I've just upgraded ruby-gpgme to gpgme 1.5.0 (from 1.4.3). For some reason, it locally rebuilds libgpg-error, libassuan, and gpgme tarballs. Currently the gpgme build is failing on Travis CI:

  gpgsm --import ./cert_g10code_test1.der
  /bin/bash: gpgsm: command not found
  make[3]: *** [pubring.kbx] Error 127

https://travis-ci.org/ueno/ruby-gpgme/jobs/28478544
(For more details, click 'after_failure' button at the bottom)

Apparently this is because of the following commit:

  commit a4c80126ae4754c8478c69a8a24a6ffd975485fc
  Author: Werner Koch
  Date: Fri Aug 2 15:25:23 2013 +0200

      Prefer GnuPG-2 engines over GnuPG-1.

      [...]

      The default engines names are now taken from the output of gpgconf.
      If gpgconf is not installed gpg 1 is assumed and locate the same was
      as gpgconf.

This assumes that all GnuPG components are installed on the system, if gpgconf is available, but some distributions split packages for gpgsm, scdaemon, etc. The Travis build VM seems to use Ubuntu 12.04 LTS, where gpgsm is not installed.

Regards,
--
Daiki Ueno

From wk at gnupg.org Thu Jun 26 17:34:37 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 26 Jun 2014 17:34:37 +0200
Subject: gpgme 1.5.0 assumes gpgsm is always present if gpgconf is found
In-Reply-To: (Daiki Ueno's message of "Thu, 26 Jun 2014 17:40:22 +0900")
References:
Message-ID: <87wqc3d6r6.fsf@vigenere.g10code.de>

On Thu, 26 Jun 2014 10:40, ueno at gnu.org said:

> This assumes that all GnuPG components are installed on the system, if
> gpgconf is available, but some distributions split packages for gpgsm,

Right. I think it is much easier to install everything than to handle cases of missing tools. Given that for 2.1 dirmngr is required for gpg, libksba needs to be installed anyway and thus there is not much to save by not installing gpgsm.

However building gpgme should work without the modules being installed; I currently lack the time to look into this. Patches welcome.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Jun 26 17:46:28 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 26 Jun 2014 17:46:28 +0200
Subject: building gnupg master from git (oddities and workarounds)
In-Reply-To: <87lhsksnv6.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 25 Jun 2014 17:03:41 -0400")
References: <87lhsksnv6.fsf@alice.fifthhorseman.net>
Message-ID: <87pphvd67f.fsf@vigenere.g10code.de>

On Wed, 25 Jun 2014 23:03, dkg at fifthhorseman.net said:

> configure: creating ./config.status
> config.status: error: cannot find input file: `m4/Makefile.in'

I just checked: m4/Makefile.am is in the repo and that configure creates Makefile.in from it.

> I can work around this with:
>
> automake --add-missing

That should not be required. In fact I accidentally deleted my whole repo yesterday (and lost some stashes :-() and thus started from scratch without any problems. I always do VPATH builds and I use automake 1.11.6.

> configure: WARNING: unrecognized options: --enable-mailto

Just a reminder to consider re-adding mail based keyserver support.

> Perhaps "automake --add-missing" should be run early on autogen.sh?

No, I like to have all required stuff in the repo.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dkg at fifthhorseman.net Thu Jun 26 18:30:26 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 26 Jun 2014 12:30:26 -0400
Subject: building gnupg master from git (oddities and workarounds)
In-Reply-To: <87pphvd67f.fsf@vigenere.g10code.de>
References: <87lhsksnv6.fsf@alice.fifthhorseman.net> <87pphvd67f.fsf@vigenere.g10code.de>
Message-ID: <53AC4AA2.4050809@fifthhorseman.net>

On 06/26/2014 11:46 AM, Werner Koch wrote:
> I just checked: m4/Makefile.am is in the repo and that configure creates
> Makefile.in from it.

hm, it didn't do that for me.

>> I can work around this with:
>>
>> automake --add-missing
>
> That should not be required. In fact I accidentally deleted my whole repo
> yesterday (and lost some stashes :-() and thus started from scratch
> without any problems. I always do VPATH builds and I use automake 1.11.6.

I'm not sure what you mean by "VPATH builds", but i'm using automake 1.14.1. Perhaps that's the issue? I'm happy to test any proposed fixes that would make it build directly with this version.

  --dkg

From wk at gnupg.org Thu Jun 26 21:39:32 2014
From: wk at gnupg.org (Werner Koch)
Date: Thu, 26 Jun 2014 21:39:32 +0200
Subject: building gnupg master from git (oddities and workarounds)
In-Reply-To: <53AC4AA2.4050809@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 26 Jun 2014 12:30:26 -0400")
References: <87lhsksnv6.fsf@alice.fifthhorseman.net> <87pphvd67f.fsf@vigenere.g10code.de> <53AC4AA2.4050809@fifthhorseman.net>
Message-ID: <87lhsjcvez.fsf@vigenere.g10code.de>

On Thu, 26 Jun 2014 18:30, dkg at fifthhorseman.net said:

> I'm not sure what you mean by "VPATH builds", but i'm using automake
> 1.14.1. Perhaps that's the issue? I'm happy to test any proposed fixes

Automake 13 is incompatible to old automake versions. They made the parallel tests driver the default for no good reason. GnuPG can't use those parallel tests. The autoconf option to switch back to serial tests is not available with automake 11 and thus there is no way to build with newer automakes unless you want to implement ugly M4 hacks to work around this. And with one of the next automake versions this hack may stop working.

Those who need parallel tests should be able to enable them but enforcing their use (and they are completely incompatible to existing regression tests) is plain stupid. The autotools stuff works for 20 years and the configure updates required from time to time were mostly harmless. This new default makes me really angry.

  AUTOMAKE_SUFFIX=-1.11 ./autogen.sh

solves it for you (well after installing automake 1.11).

VPATH is an old make feature to support out-of-source-tree builds. Some people use this term for the latter.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Jun 30 18:33:03 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jun 2014 18:33:03 +0200
Subject: [Announce] GnuPG 2.0.25 released
Message-ID: <87ioni5pds.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.25. This release fixes a regression introduced with the 2.0.24 release.

The GNU Privacy Guard (GnuPG) is the most commonly used tool for OpenPGP mail and data encryption. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.17) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We keep maintaining GnuPG-1 versions because they are useful on very old platforms and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also available for other Unices, Microsoft Windows, VMS, and Mac OS X.


What's New in 2.0.24
====================

 * gpg: Fix a regression in 2.0.24 if more than one keyid is given to --recv-keys et al.

 * gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended key generation.

 * gpgsm: Fix a DISPLAY related problem with --export-secret-key-p12.

 * scdaemon: Support reader Gemalto IDBridge CT30.

Getting the Software
====================

Please follow the instructions found at https://www.gnupg.org/download/ or read on:

GnuPG 2.0.25 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org and on its mirrors you should find the following new files in the gnupg/ directory:

 - The GnuPG-2 source code compressed using BZIP2 and its OpenPGP signature:

     gnupg-2.0.25.tar.bz2 (4201k)
     gnupg-2.0.25.tar.bz2.sig

 - A patch file to upgrade a 2.0.24 GnuPG source tree. This patch does not include updates of the language files.

     gnupg-2.0.24-2.0.25.diff.bz2 (12k)

Note, that we don't distribute gzip compressed tarballs for GnuPG-2. A Windows version will eventually be released at https://gpg4win.org .


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.25.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.25.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.25.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.25.tar.bz2

   and check that the output matches the first line from the following list:

890d77d89f2d187382f95e83e386f2f7ba789436  gnupg-2.0.25.tar.bz2
fd91161181f1f4cee2827cd2a08c47f382b4059b  gnupg-2.0.24-2.0.25.diff.bz2


Documentation
=============

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at

  https://www.gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

  https://www.gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Almost all mail clients support GnuPG-2. Mutt users may want to use the configure option "--enable-gpgme" during build time and put a "set use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the reworked OpenPGP support.


Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . We also have a dedicated service directory at:

  https://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch.
Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money:

  https://gnupg.org/donate/


Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Jean-René Reinhard, Olivier Levillain, and Florian Maury of ANSSI.fr found and reported the compression bug we fixed in 2.0.24. Jean-René should have been mentioned in the original commit message.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From djhaskin987 at gmail.com Mon Jun 30 17:52:28 2014
From: djhaskin987 at gmail.com (Dan Haskin)
Date: Mon, 30 Jun 2014 09:52:28 -0600
Subject: Where is ECC?
Message-ID:

I wonder how complete the support for the Elliptic Curve Cryptography keys is. If incomplete, how can I contribute? I know it's not widely adopted, but I'm still really excited about it.

Daniel Jay Haskin
http://djhaskin987.github.io/

From kristian.fiskerstrand at sumptuouscapital.com Mon Jun 30 19:00:15 2014
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 30 Jun 2014 19:00:15 +0200
Subject: Where is ECC?
In-Reply-To:
References:
Message-ID: <53B1979F.10003@sumptuouscapital.com>

On 06/30/2014 05:52 PM, Dan Haskin wrote:
> I wonder how complete the support for the Elliptic Curve
> Cryptography keys is. If incomplete, how can I contribute? I know
> it's not widely adopted, but I'm still really excited about it.
> Daniel Jay Haskin http://djhaskin987.github.io/

Hi Dan,

RFC6637 (ECC support) is included in the current development branch (git master, i.e. the 2.1 series)

--
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Docendo discimus
We learn by teaching

From wk at gnupg.org Mon Jun 30 20:37:29 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jun 2014 20:37:29 +0200
Subject: [Announce] GnuPG 1.4.18 released
Message-ID: <87zjgu451y.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.18. This release fixes a regression introduced with the 1.4.17 release.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, smartcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+).

Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build, and also better portable to ancient platforms. In contrast to GnuPG-2 (e.g. version 2.0.23) it comes with no support for S/MIME, Secure Shell, or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict.


What's New
===========

 * Fix a regression in 1.4.17 if more than one keyid is given to --recv-keys et al.

 * Cap RSA and Elgamal keysize at 4096 bit also for unattended key generation.


Getting the Software
====================

First of all, decide whether you really need GnuPG version 1.4.x - most users are better off with the modern GnuPG 2.0.x version. Then follow the instructions found at https://www.gnupg.org/download/ or read on:

GnuPG 1.4.18 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org and on its mirrors you should find the following new files in the *gnupg* directory:

  - The GnuPG source code compressed using BZIP2 and its OpenPGP signature:

        gnupg-1.4.18.tar.bz2 (3564k)
        gnupg-1.4.18.tar.bz2.sig

  - The GnuPG source code compressed using GZIP and its OpenPGP signature:

        gnupg-1.4.18.tar.gz (4930k)
        gnupg-1.4.18.tar.gz.sig

  - A patch file to upgrade a 1.4.16 GnuPG source tree. This patch does not include updates of the language files.

        gnupg-1.4.17-1.4.18.diff.bz2 (5k)

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptionally your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  - GnuPG compiled for Microsoft Windows and its OpenPGP signature. This is a command line only version; the source files are the same as above.

        gnupg-w32cli-1.4.18.exe (1575k)
        gnupg-w32cli-1.4.18.exe.sig

    Note, that this is a minimal installer and unless you are only in need for the simple gpg binary, you are better off using the full featured installer at https://www.gpg4win.org .

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.18.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.18.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key.
   Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com | gpg --import

   or using a keyserver like

     gpg --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.18.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-1.4.18.tar.bz2

   and check that the output matches the first line from the following list:

41462d1a97f91abc16a0031b5deadc3095ce88ae  gnupg-1.4.18.tar.bz2
ea7d66c3de7aaf46de9e8678f4fc4a8c329400b2  gnupg-1.4.18.tar.gz
f30571f855b3ff8becff5378a884638da4c3cc9e  gnupg-1.4.17-1.4.18.diff.bz2
579de2464528b436f39c5835e766867a1efa5fee  gnupg-w32cli-1.4.18.exe

Internationalization
====================

GnuPG comes with support for 29 languages. The Chinese (Simple and Traditional), Czech, Danish, Dutch, French, German, Norwegian, Polish, Romanian, Russian, Spanish, Swedish, Ukrainian, and Turkish translations are close to being complete.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . We also have a dedicated service directory at .

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources.
To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money:

  https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, donating money, spreading the word, or answering questions on the mailing lists. Jean-René Reinhard, Olivier Levillain, and Florian Maury of ANSSI.fr found and reported the compression bug we fixed in 2.0.24. Jean-René should have been mentioned in the original commit message.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Jun 30 21:09:01 2014
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jun 2014 21:09:01 +0200
Subject: Where is ECC?
In-Reply-To: <53B1979F.10003@sumptuouscapital.com> (Kristian Fiskerstrand's message of "Mon, 30 Jun 2014 19:00:15 +0200")
References: <53B1979F.10003@sumptuouscapital.com>
Message-ID: <87pphq43le.fsf@vigenere.g10code.de>

On Mon, 30 Jun 2014 19:00, kristian.fiskerstrand at sumptuouscapital.com said:

> RFC6637 (ECC support) is included in the current development branch
> (git master, i.e. the 2.1 series)

There is a beta version out but that one has a problem exporting keys. Windows support also works on the Windows command line. I hope to get a fixed beta out this week. Need to do some office stuff first, though.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
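
The SHA-1 check described under "Checking the Integrity" in the 1.4.18 announcement above, as an added shell example that is not part of the original messages or of GnuPG. The checksum list is copied from the announcement; the function name verify_release, its return codes and the optional list argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a downloaded file against the SHA-1 list printed in
# the GnuPG 1.4.18 announcement. Names and return codes are hypothetical.

# Checksum list copied from the announcement ("<sha1> <filename>" per line).
ANNOUNCED_SHA1='41462d1a97f91abc16a0031b5deadc3095ce88ae  gnupg-1.4.18.tar.bz2
ea7d66c3de7aaf46de9e8678f4fc4a8c329400b2  gnupg-1.4.18.tar.gz
f30571f855b3ff8becff5378a884638da4c3cc9e  gnupg-1.4.17-1.4.18.diff.bz2
579de2464528b436f39c5835e766867a1efa5fee  gnupg-w32cli-1.4.18.exe'

# verify_release FILE [LIST]
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or unreadable,
# 3 if the file name has no entry in the list.
verify_release() {
    file=$1
    list=${2:-$ANNOUNCED_SHA1}
    [ -f "$file" ] && [ -r "$file" ] || return 2
    name=$(basename -- "$file")
    # Exact match on the file-name field, so that gnupg-1.4.18.tar.gz can
    # never be checked against the entry for gnupg-1.4.18.tar.bz2.
    expected=$(printf '%s\n' "$list" |
        awk -v n="$name" '$2 == n { print tolower($1); exit }')
    [ -n "$expected" ] || return 3
    # Hash from stdin so the output is always "<hash>  -", whatever the name.
    actual=$(sha1sum < "$file" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s\n' "$name"
        return 0
    fi
    printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' \
        "$name" "$expected" "$actual" >&2
    return 1
}

# Stand-alone use: sh verify.sh gnupg-1.4.18.tar.bz2
[ "$#" -eq 0 ] || verify_release "$1"
```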